ACTION-47: Provide input on trust model and access control model definitions
Summary:
Both the Nokia [1] and BONDI [2] approaches are broadly similar, but there are some differences in the way trust and access control models are handled in the security framework. Those differences are presented below.
Trust models
* Nokia:
  o Considers 2 separate modules: a trust manager and an access manager.
  o The trust manager determines the trust domain that will be applied. The trust domain might also be determined at installation time (e.g. for widgets).
  o The access manager creates a security session in which the access decision is made.
* BONDI:
  o The framework must permit fine-grained security policies to be represented, as well as policies based on broad groupings of APIs and assignment of web applications to a small number of trust domains. For example, a fine-grained security policy is necessary to grant or deny access to individual APIs for individual web applications.
  o That is, it is possible to define a security policy following a trust domain approach, but there is no separate module in the BONDI architecture where trust domains are assigned.
  o The framework is based on a very general model that governs access by subjects to resources based on a hierarchy of policies and policy sets, where each policy consists of a number of rules. Subjects and resources are characterised by a number of defined subject attributes and resource attributes. A range of attributes is defined so that policies can be expressed controlling access based on a Widget Resource signer's identity, an individual Widget Resource identity, the Widget Resource signature's root certificate, or a Website's URL.
Policies
* Nokia:
  o Considers 2 components of policies: trust policies and access control policies.
  o Trust policies provide mappings between certain properties (e.g. origin URL) and trust domains.
  o The trust domains can be customized by the policy author.
  o Access control policies define the capabilities assigned to a set of trust domains.
* BONDI:
  o Does not differentiate between trust and access control policies. Both can be implicitly included in the same policy document.
  o BONDI describes mechanisms that support the structuring of security policies into a hierarchy of separately defined and managed elements with defined combining rules.
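To make the two model descriptions above concrete, here is an added Python sketch of a toy policy decision point. It is not code from the Nokia or BONDI documents. It separates the two stages the Nokia description names (trust-domain assignment from subject attributes such as origin URL and signer identity, then an access control decision per trust domain) and expresses the second stage in the BONDI style as a hierarchy of policies and policy sets with combining rules. The trust domain names ("operator", "trusted-site", "untrusted"), the capability names, the "Example Operator CA" signer and the "first-applicable" / "deny-overrides" combining rules are all constructed sample values chosen for the illustration, not identifiers from either specification.

```python
"""Toy policy decision point (PDP) for a web-runtime security framework.

Stage 1 (trust policy): map subject attributes of the requesting web
application (origin URL, signer identity) to a trust domain.
Stage 2 (access control policy): evaluate policies grouped in a policy
set, each level with its own combining rule, to decide whether that
trust domain may use a device capability.  Constructed illustration:
all names and sample values below are made up.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Callable, Optional
from urllib.parse import urlparse


@dataclass(frozen=True)
class Subject:
    """Attributes of the requesting web application."""
    origin_url: str
    signer_id: Optional[str] = None  # signing-certificate identity; None if unsigned


def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


# Trust policy: ordered (predicate, trust domain) pairs; first match wins,
# and the final catch-all assigns everything else to "untrusted".
TRUST_RULES: list[tuple[Callable[[Subject], bool], str]] = [
    (lambda s: s.signer_id == "Example Operator CA", "operator"),
    (lambda s: urlparse(s.origin_url).scheme == "https"
               and _host(s.origin_url).endswith(".example.com"), "trusted-site"),
    (lambda s: True, "untrusted"),
]


def trust_domain(subject: Subject) -> str:
    """Trust-manager step: assign a trust domain from subject attributes."""
    for predicate, domain in TRUST_RULES:
        if predicate(subject):
            return domain
    return "untrusted"  # safe default; unreachable with the catch-all above


@dataclass(frozen=True)
class Rule:
    domain: str      # trust-domain pattern (fnmatch syntax); "*" = any domain
    capability: str  # device-capability pattern, e.g. "geolocation.*"
    effect: str      # "permit" or "deny"


@dataclass(frozen=True)
class Policy:
    rules: tuple[Rule, ...]
    combine: str = "first-applicable"  # or "deny-overrides"


@dataclass(frozen=True)
class PolicySet:
    policies: tuple[Policy, ...]
    combine: str = "deny-overrides"    # or "first-applicable"


def _combine(decisions: list[str], algorithm: str) -> Optional[str]:
    """Apply a combining rule; None means 'not applicable'."""
    if not decisions:
        return None
    if algorithm == "first-applicable":
        return decisions[0]
    if algorithm == "deny-overrides":
        return "deny" if "deny" in decisions else "permit"
    raise ValueError(f"unknown combining rule: {algorithm}")


def evaluate_policy(policy: Policy, domain: str, capability: str) -> Optional[str]:
    applicable = [r.effect for r in policy.rules
                  if fnmatchcase(domain, r.domain) and fnmatchcase(capability, r.capability)]
    return _combine(applicable, policy.combine)


def evaluate_policy_set(pset: PolicySet, domain: str, capability: str) -> Optional[str]:
    applicable = [d for d in (evaluate_policy(p, domain, capability) for p in pset.policies)
                  if d is not None]
    return _combine(applicable, pset.combine)


def decide(pset: PolicySet, subject: Subject, capability: str) -> str:
    """PDP entry point: trust-domain assignment, then access control; default deny."""
    domain = trust_domain(subject)
    return evaluate_policy_set(pset, domain, capability) or "deny"


# Sample policy hierarchy (constructed): per-domain policies plus a baseline
# policy denying SMS to every domain.  Deny-overrides at the set level makes
# the baseline win even though the operator policy permits everything.
POLICY_SET = PolicySet(policies=(
    Policy(rules=(Rule("operator", "*", "permit"),)),
    Policy(rules=(Rule("trusted-site", "geolocation.*", "permit"),
                  Rule("trusted-site", "camera.*", "deny"))),
    Policy(rules=(Rule("*", "sms.*", "deny"),)),
))


if __name__ == "__main__":
    requests = [
        (Subject("http://widget.local/", "Example Operator CA"), "camera.capture"),
        (Subject("http://widget.local/", "Example Operator CA"), "sms.send"),
        (Subject("https://maps.example.com/app"), "geolocation.position"),
        (Subject("https://maps.example.com/app"), "camera.capture"),
        (Subject("http://evil.example.org/"), "geolocation.position"),
    ]
    for subject, capability in requests:
        print(f"{trust_domain(subject):13} {capability:21} -> "
              f"{decide(POLICY_SET, subject, capability)}")
```

The sketch only returns a decision: like the Nokia security engine described below, it is a PDP, and enforcing the decision at the JavaScript API call remains the job of the web content engine or device API implementation. A request that matches no rule at all falls through to "deny", so an omitted policy fails closed rather than open.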
When is access control applied?
* Nokia:
  o The security engine has nothing to say about how and when access control is applied. This is up to the implementation of the web content engine and/or device API implementation. The security engine does not itself control access; rather, it acts as a Policy Decision Point (PDP).
* BONDI:
  o The BONDI access control system, from a logical perspective, mediates any attempt by an executing Web Application to access Device Capabilities using JavaScript APIs.
Other considerations about trust models from [3] and [4]
* Certificates and digital signatures have been used for trust establishment with installable apps.
* Digital signatures have a tendency to centralize trust authority in individual companies, which have a lot of control in the content distribution and adoption phases.
* The security frameworks used by existing mobile application frameworks, such as Java and Symbian, include a policy enforcement mechanism as part of the application environment itself, and user application identity and trust models derived from certificate architectures.
* Security frameworks where the notion of trust (the rule that determines what a particular application can rightfully access) is provided by an architecturally distinct component.
[1] http://lists.w3.org/Archives/Public/public-device-apis/2009Nov/att-0012/SecurityPolicy_09.pdf
[2] http://bondi.omtp.org/1.01/security/BONDI_Architecture_and_Security_v1_01.pdf
[3] http://lib.tkk.fi/Dipl/2009/urn100073.pdf
[4] http://www.w3.org/2008/security-ws/report
Thanks,
Laura Arribas
Security Technologies Researcher
Vodafone Group R&D
Tel: +44 (0) 7775411861
Fax: +44 (0) 1635231776
E-mail: laura.arribas@vodafone.com
Vodafone Group Services Limited
Registered Office: Vodafone House, The Connection, Newbury, Berkshire RG14 2FN
Registered in England No 3802001.